* [PATCH net-next v2] icmp: Add icmp_timestamp_ignore_all to control ICMP_TIMESTAMP
@ 2024-05-20 8:53 ye.xingchen
2024-05-21 8:57 ` Paolo Abeni
2024-05-21 9:25 ` Florian Westphal
0 siblings, 2 replies; 3+ messages in thread
From: ye.xingchen @ 2024-05-20 8:53 UTC (permalink / raw)
To: davem
Cc: edumazet, kuba, pabeni, corbet, dsahern, ncardwell, soheil,
haiyangz, lixiaoyan, ye.xingchen, mfreemon, david.laight, netdev,
linux-doc, linux-kernel, fan.yu9, he.peilin, xu.xin16,
yang.yang29, yang.guang5, zhang.yunkai
From: YeXingchen <ye.xingchen@zte.com.cn>
The CVE-1999-0524 vulnerability is associated with ICMP
timestamp messages, which can be exploited to conduct
a denial-of-service (DoS) attack. In the Vulnerability
Priority Rating (VPR) system, this vulnerability was
rated as a medium risk in May of this year.
Link: https://www.tenable.com/plugins/nessus/10113
To protect embedded systems that cannot run firewalls
from attacks exploiting the CVE-1999-0524 vulnerability,
the icmp_timestamp_ignore_all sysctl is offered as
an easy solution, which allows all ICMP timestamp
messages to be ignored, effectively bypassing the
potential exploitation through the CVE-1999-0524
vulnerability. It enables these resource-constrained
systems to disregard all ICMP timestamp messages,
preventing potential DoS attacks, making it an ideal
lightweight solution for such environments.
Signed-off-by: YeXingchen <ye.xingchen@zte.com.cn>
Reviewed-by: xu xin <xu.xin16@zte.com.cn>
Reviewed-by: zhang yunkai <zhang.yunkai@zte.com.cn>
Reviewed-by: Fan Yu <fan.yu9@zte.com.cn>
CC: he peilin <he.peilin@zte.com.cn>
Cc: Yang Yang <yang.yang29@zte.com.cn>
Cc: Yang Guang <yang.guang5@zte.com.cn>
---
v1->v2
fixes according to
https://lore.kernel.org/all/20240517172639229ec5bN7VBV7SGEHkSK5K6f@zte.com.cn/
1. fix the compile warning
2. change description.
Documentation/networking/ip-sysctl.rst | 6 ++++++
.../networking/net_cachelines/netns_ipv4_sysctl.rst | 1 +
include/net/netns/ipv4.h | 1 +
include/uapi/linux/sysctl.h | 1 +
net/ipv4/icmp.c | 10 ++++++++++
net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
6 files changed, 28 insertions(+)
diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index bd50df6a5a42..41eb3de61659 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -1441,6 +1441,12 @@ icmp_ratelimit - INTEGER
Default: 1000
+icmp_timestamp_ignore_all - BOOLEAN
+ If set non-zero, then the kernel will ignore all ICMP TIMESTAMP
+ requests sent to it.
+
+ Default: 0
+
icmp_msgs_per_sec - INTEGER
Limit maximal number of ICMP packets sent per second from this host.
Only messages whose type matches icmp_ratemask (see below) are
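Review bot: the new entry is placed between icmp_ratelimit and icmp_msgs_per_sec, splitting two rate-limiting knobs that belong together; move `icmp_timestamp_ignore_all - BOOLEAN` next to the other ICMP ignore_* entries in this file so related controls stay grouped. The text should also state that ignored requests receive no reply and that the setting is per network namespace (the backing field is added to struct netns_ipv4 in include/net/netns/ipv4.h).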
diff --git a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
index 9b87089a84c6..ed72f67c8f72 100644
--- a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
+++ b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
@@ -38,6 +38,7 @@ u8 sysctl_icmp_ignore_bogus_error_responses
u8 sysctl_icmp_errors_use_inbound_ifaddr
int sysctl_icmp_ratelimit
int sysctl_icmp_ratemask
+u8 sysctl_icmp_timestamp_ignore_all
u32 ip_rt_min_pmtu - -
int ip_rt_mtu_expires - -
int ip_rt_min_advmss - -
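Review bot: the new row is inserted after sysctl_icmp_ratemask, but in include/net/netns/ipv4.h the field is added before sysctl_icmp_ratelimit, right after sysctl_icmp_errors_use_inbound_ifaddr; this table documents the struct layout, so keep the row order identical to the struct. The ip_rt_* rows below carry the two access-marker columns (`- -`); check whether the new row needs them as well so the table stays aligned.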
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index c356c458b340..7364c469e7eb 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -113,6 +113,7 @@ struct netns_ipv4 {
u8 sysctl_icmp_echo_ignore_broadcasts;
u8 sysctl_icmp_ignore_bogus_error_responses;
u8 sysctl_icmp_errors_use_inbound_ifaddr;
+ u8 sysctl_icmp_timestamp_ignore_all;
int sysctl_icmp_ratelimit;
int sysctl_icmp_ratemask;
diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
index 8981f00204db..ef8640947f4e 100644
--- a/include/uapi/linux/sysctl.h
+++ b/include/uapi/linux/sysctl.h
@@ -426,6 +426,7 @@ enum
NET_TCP_ALLOWED_CONG_CONTROL=123,
NET_TCP_MAX_SSTHRESH=124,
NET_TCP_FRTO_RESPONSE=125,
+ NET_IPV4_ICMP_TIMESTAMP_IGNORE_ALL = 126,
};
enum {
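Review bot: nothing else in the patch references NET_IPV4_ICMP_TIMESTAMP_IGNORE_ALL (the ctl_table entry in net/ipv4/sysctl_net_ipv4.c is matched by procname only), so this change adds an unused constant to a uapi ABI header; drop it unless there is a consumer. If it stays, it sits among NET_TCP_* values with a NET_IPV4_ prefix and is written `= 126` with spaces where the neighbours use `=125`; match the surrounding formatting.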
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index ab6d0d98dbc3..2047ca62b44e 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -1152,6 +1152,13 @@ EXPORT_SYMBOL_GPL(icmp_build_probe);
static enum skb_drop_reason icmp_timestamp(struct sk_buff *skb)
{
struct icmp_bxm icmp_param;
+ struct net *net;
+
+ net = dev_net(skb_dst(skb)->dev);
+
+ if (READ_ONCE(net->ipv4.sysctl_icmp_timestamp_ignore_all))
+ return SKB_NOT_DROPPED_YET;
+
/*
* Too short.
*/
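Review bot: `net` is declared and then assigned three lines later; initialize it at declaration instead, `struct net *net = dev_net(skb_dst(skb)->dev);`, and drop the blank lines. Consider also whether the early return belongs above the "Too short" check: as placed, a truncated TIMESTAMP request is reported as SKB_NOT_DROPPED_YET whenever the knob is set, while with the knob off it falls into the "Too short" error path; keeping the length validation first makes the knob suppress only the reply. Returning SKB_NOT_DROPPED_YET for a request that is deliberately not answered also leaves drop tracing unable to distinguish an ignored request from an answered one; a dedicated drop reason would make the policy observable.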
@@ -1469,6 +1476,9 @@ static int __net_init icmp_sk_init(struct net *net)
net->ipv4.sysctl_icmp_echo_enable_probe = 0;
net->ipv4.sysctl_icmp_echo_ignore_broadcasts = 1;
+ /* Control parameters for TIMESTAMP replies. */
+ net->ipv4.sysctl_icmp_timestamp_ignore_all = 0;
+
/* Control parameter - ignore bogus broadcast responses? */
net->ipv4.sysctl_icmp_ignore_bogus_error_responses = 1;
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 162a0a3b6ba5..b002426c3d9c 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -651,6 +651,15 @@ static struct ctl_table ipv4_net_table[] = {
.mode = 0644,
.proc_handler = ipv4_ping_group_range,
},
+ {
+ .procname = "icmp_timestamp_ignore_all",
+ .data = &init_net.ipv4.sysctl_icmp_timestamp_ignore_all,
+ .maxlen = sizeof(u8),
+ .mode = 0644,
+ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE
+ },
#ifdef CONFIG_NET_L3_MASTER_DEV
{
.procname = "raw_l3mdev_accept",
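Review bot: the last initializer `.extra2 = SYSCTL_ONE` lacks the trailing comma the neighbouring entries use (compare `.proc_handler = ipv4_ping_group_range,`); add it so a later addition does not have to touch this line. The u8 storage with proc_dou8vec_minmax bounded by SYSCTL_ZERO/SYSCTL_ONE does match the BOOLEAN documented in ip-sysctl.rst.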
--
2.25.1
* Re: [PATCH net-next v2] icmp: Add icmp_timestamp_ignore_all to control ICMP_TIMESTAMP
2024-05-20 8:53 [PATCH net-next v2] icmp: Add icmp_timestamp_ignore_all to control ICMP_TIMESTAMP ye.xingchen
@ 2024-05-21 8:57 ` Paolo Abeni
2024-05-21 9:25 ` Florian Westphal
1 sibling, 0 replies; 3+ messages in thread
From: Paolo Abeni @ 2024-05-21 8:57 UTC (permalink / raw)
To: ye.xingchen, davem
Cc: edumazet, kuba, corbet, dsahern, ncardwell, soheil, haiyangz,
lixiaoyan, mfreemon, david.laight, netdev, linux-doc,
linux-kernel, fan.yu9, he.peilin, xu.xin16, yang.yang29,
yang.guang5, zhang.yunkai
On Mon, 2024-05-20 at 16:53 +0800, ye.xingchen@zte.com.cn wrote:
> From: YeXingchen <ye.xingchen@zte.com.cn>
>
> The CVE-1999-0524 vulnerability is associated with ICMP
> timestamp messages, which can be exploited to conduct
> a denial-of-service (DoS) attack. In the Vulnerability
> Priority Rating (VPR) system, this vulnerability was
> rated as a medium risk in May of this year.
> Link:https://www.tenable.com/plugins/nessus/10113
>
> To protect embedded systems that cannot run firewalls
> from attacks exploiting the CVE-1999-0524 vulnerability,
> the icmp_timestamp_ignore_all sysctl is offered as
> an easy solution, which allows all ICMP timestamp
> messages to be ignored, effectively bypassing the
> potential exploitation through the CVE-1999-0524
> vulnerability. It enables these resource-constrained
> systems to disregard all ICMP timestamp messages,
> preventing potential DoS attacks, making it an ideal
> lightweight solution for such environments.
>
> Signed-off-by: YeXingchen <ye.xingchen@zte.com.cn>
> Reviewed-by: xu xin <xu.xin16@zte.com.cn>
> Reviewed-by: zhang yunkai <zhang.yunkai@zte.com.cn>
> Reviewed-by: Fan Yu <fan.yu9@zte.com.cn>
> CC: he peilin <he.peilin@zte.com.cn>
> Cc: Yang Yang <yang.yang29@zte.com.cn>
> Cc: Yang Guang <yang.guang5@zte.com.cn>
## Form letter - net-next-closed
The merge window for v6.10 has begun and we have already posted our pull
request. Therefore net-next is closed for new drivers, features, code
refactoring and optimizations. We are currently accepting bug fixes only.
Please repost when net-next reopens after May 26th.
RFC patches sent for review only are obviously welcome at any time.
See:
https://www.kernel.org/doc/html/next/process/maintainer-netdev.html#development-cycle
* Re: [PATCH net-next v2] icmp: Add icmp_timestamp_ignore_all to control ICMP_TIMESTAMP
2024-05-20 8:53 [PATCH net-next v2] icmp: Add icmp_timestamp_ignore_all to control ICMP_TIMESTAMP ye.xingchen
2024-05-21 8:57 ` Paolo Abeni
@ 2024-05-21 9:25 ` Florian Westphal
1 sibling, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2024-05-21 9:25 UTC (permalink / raw)
To: ye.xingchen
Cc: davem, edumazet, kuba, pabeni, corbet, dsahern, ncardwell, soheil,
haiyangz, lixiaoyan, mfreemon, david.laight, netdev, linux-doc,
linux-kernel, fan.yu9, he.peilin, xu.xin16, yang.yang29,
yang.guang5, zhang.yunkai
ye.xingchen@zte.com.cn <ye.xingchen@zte.com.cn> wrote:
> From: YeXingchen <ye.xingchen@zte.com.cn>
>
> The CVE-1999-0524 vulnerability is associated with ICMP
> timestamp messages, which can be exploited to conduct
> a denial-of-service (DoS) attack. In the Vulnerability
> Priority Rating (VPR) system, this vulnerability was
> rated as a medium risk in May of this year.
> Link:https://www.tenable.com/plugins/nessus/10113
Please explain at least one scenario where this is a problem.
AFAICS there is none and Linux is not affected by this.
> To protect embedded systems that cannot run firewalls
> from attacks exploiting the CVE-1999-0524 vulnerability,
> the icmp_timestamp_ignore_all sysctl is offered as
If there is an actual problem, then this should be on by default
or the entire feature should be removed.
But I don't think there is a problem in the first place.